[ISN] Flaw in Microsoft's Word software could allow theft of files by bugging document with hidden code

From: InfoSec News (isnat_private)
Date: Fri Sep 13 2002 - 03:54:52 PDT

    AP Technology Writer 
    WASHINGTON (AP) - Microsoft's flagship word processor has a security
    flaw that could allow the theft of computer files by "bugging" a
    document with a hidden code, the company disclosed Thursday. It was
    exploring how to fix the problem and whether to extend the repair to
    an older version of the software still used by millions.
    The attack begins when a bugged document goes out, usually with a
    request to be revised and returned to the sender -- a common form of
    daily communication. When the document is changed and sent back, the
    targeted file accompanies it.
    "It has the potential of allowing people to get at data that they are
    explicitly not allowed to get to," said Woody Leonhard, who has
    written books on Microsoft's Word and Office software.
    The flaw would most likely occur in the workplace, where Word is the
    most prominent word processing program. Potential targets for theft
    are sensitive legal contracts, payroll records or e-mails, either from
    a hard drive or computer network, depending on the victim's access to
    "The issue appears to affect all versions of Microsoft Word,"  
    Microsoft said in a statement in response to questions by The
    Associated Press. "When the investigation is completed, we will take
    the action that best serves Microsoft's customers."
    Word 97, an earlier version of the program, is most susceptible to the
    attack. Microsoft said it is its policy to no longer repair Word 97,
    but said the company is still exploring the issue.
    A research firm reported in May that about 32 percent of offices have
    copies of Word 97 running, according to a survey of 1,500 high-tech
    managers worldwide.
    Analyst Laura DiDio of the Yankee Group said the companies are taking
    a risk by using such old software. But she said Microsoft should
    correct the problem because of its severity. "These are paying
    customers," DiDio said.
    Leonhard said Word 97 users "bought the package with full faith in
    Microsoft and its ability to protect them from this kind of exploit."
    Word 97 users may be able to get some help through Microsoft's
    telephone tech support, company spokesman Casey McGee said. But,
    referring to Microsoft engineers, McGee said "there's only so far back
    they can go."
    The flaw involving Word 97 was discovered by Alex Gantman of cellular
    phone company Qualcomm and was released on the Internet last month.
    An attacker only has to place hidden codes in a Word document, which
    is sent to a would-be victim with a request for a response. If the
    recipient has Word 97 and revises the Word document, any file sought
    by the attacker will be hidden inside the Word document and sent back
    to the attacker.
    If the intended target uses Word 2000 or 2002, the most recent
    versions, the attack will only work if the Word document is printed
    first before a reply goes out to the attacker.
    After seeing Gantman's work on a public security e-mail forum,
    Leonhard found a similar flaw that affects recent Word versions even
    when a document is not printed. In this case, the stolen file is
    visible within the document, although the attacker can make it hard to
    Microsoft says that in both security flaws, an attacker would have to
    know the exact file name to be stolen and its location. But many
    critical files -- an address book or saved e-mails, for example -- are
    usually in obvious or predictable places on every Microsoft Windows
    Microsoft suggests users view hidden codes in every document they
    open. In Word 2002, the latest version, that can be done by selecting
    tools, options, then checking the "field codes" box. Many companies,
    however, use such codes for legitimate and harmless purposes.
    Leonhard said that if an attacker tries to steal a very large file,
    the victim might notice it when saving or e-mailing the bugged
    document. A smaller file might not get that attention.
    "It's very much dependent on the greed of the person fishing for a
    file," Leonhard said.
    On the Net: Microsoft: www.microsoft.com
    ISN is currently hosted by Attrition.org